Master the ISC2 CAP (Certified Authorization Professional) content and be ready for exam day with these Exambible CAP test questions. We guarantee it! We make it a reality and give you real CAP questions in our ISC2 CAP braindumps. The latest 100% valid ISC2 CAP exam questions are at the page below. You can use our ISC2 CAP braindumps and pass your exam.
We also have free CAP practice questions for you:
NEW QUESTION 1
In which of the following phases does the SSAA maintenance take place?
- A. Phase 3
- B. Phase 2
- C. Phase 1
- D. Phase 4
Answer: D
NEW QUESTION 2
BS 7799 is an internationally recognized ISM standard that provides high-level, conceptual recommendations on enterprise security. BS 7799 is divided into three parts. Which of the following statements are true about BS 7799?
Each correct answer represents a complete solution. Choose all that apply.
- A. BS 7799 Part 1 was adopted by ISO as ISO/IEC 27001 in November 2005.
- B. BS 7799 Part 2 was adopted by ISO as ISO/IEC 27001 in November 2005.
- C. BS 7799 Part 1 was a standard originally published as BS 7799 by the British Standards Institute (BSI) in 1995.
- D. BS 7799 Part 3 was published in 2005, covering risk analysis and management.
Answer: BCD
NEW QUESTION 3
Harry is the project manager of the MMQ Construction Project. In this project, Harry has identified a supplier who can create stained glass windows for 1,000 window units in the construction project. The supplier is an artist who works by himself but creates windows for several companies throughout the United States. Management reviews the proposal to use this supplier and, while they agree that the supplier is talented, they do not think the artist can fulfill the 1,000 window units in time for the project's deadline. Management has asked Harry to find a supplier who will guarantee completion of the windows by the date needed in the schedule. What risk response has management asked Harry to implement?
- A. Acceptance
- B. Mitigation
- C. Avoidance
- D. Transference
Answer: B
NEW QUESTION 4
Which of the following individuals is responsible for ensuring the security posture of the organization's information system?
- A. Authorizing Official
- B. Chief Information Officer
- C. Security Control Assessor
- D. Common Control Provider
Answer: A
NEW QUESTION 5
Penetration tests are sometimes called white hat attacks because in a pen test, the good guys are attempting to break in. What are the different categories of penetration testing?
Each correct answer represents a complete solution. Choose all that apply.
- A. Full-box
- B. Zero-knowledge test
- C. Full-knowledge test
- D. Open-box
- E. Partial-knowledge test
- F. Closed-box
Answer: BCDEF
NEW QUESTION 6
You are the project manager of the QSL project for your organization. You are working with your project team and several key stakeholders to create a diagram that shows how various elements of a system interrelate and the mechanism of causation within the system. What diagramming technique are you using as a part of the risk identification process?
- A. Cause and effect diagrams
- B. System or process flowcharts
- C. Predecessor and successor diagramming
- D. Influence diagrams
Answer: B
NEW QUESTION 7
Certification and Accreditation (C&A or CnA) is a process for implementing information security.
Which of the following is the correct order of C&A phases in a DITSCAP assessment?
- A. Definition, Validation, Verification, and Post Accreditation
- B. Verification, Definition, Validation, and Post Accreditation
- C. Definition, Verification, Validation, and Post Accreditation
- D. Verification, Validation, Definition, and Post Accreditation
Answer: C
NEW QUESTION 8
Which of the following is NOT a responsibility of a data owner?
- A. Maintaining and protecting data
- B. Ensuring that the necessary security controls are in place
- C. Delegating responsibility of the day-to-day maintenance of the data protection mechanisms to the data custodian
- D. Approving access requests
Answer: A
NEW QUESTION 9
Gary is the project manager for his project. He and the project team have completed the qualitative risk analysis process and are about to enter the quantitative risk analysis process when Mary, the project sponsor, wants to know what quantitative risk analysis will review. Which of the following statements best defines what quantitative risk analysis will review?
- A. The quantitative risk analysis seeks to determine the true cost of each identified risk event and the probability of each risk event to determine the risk exposure.
- B. The quantitative risk analysis process will review risk events for their probability and impact on the project objectives.
- C. The quantitative risk analysis reviews the results of risk identification and prepares the project for risk response management.
- D. The quantitative risk analysis process will analyze the effect of risk events that may substantially impact the project's competing demands.
Answer: D
NEW QUESTION 10
System Authorization is a risk management process. The System Authorization Plan (SAP) is a comprehensive and uniform approach to the System Authorization Process. What are the different phases of the System Authorization Plan?
Each correct answer represents a part of the solution. Choose all that apply.
- A. Pre-certification
- B. Certification
- C. Post-certification
- D. Authorization
- E. Post-Authorization
Answer: ABDE
NEW QUESTION 11
Which of the following NIST documents defines impact?
- A. NIST SP 800-53
- B. NIST SP 800-26
- C. NIST SP 800-30
- D. NIST SP 800-53A
Answer: C
NEW QUESTION 12
Your project uses a piece of equipment that, if the temperature of the machine goes above 450 degrees Fahrenheit, will overheat and have to be shut down for 48 hours. Should this machine overheat even once, it will delay the project's end date. You work with your project team to create a response: should the temperature of the machine reach 430, the machine will be paused for at least an hour to cool it down. The temperature of 430 is called what?
- A. Risk identification
- B. Risk response
- C. Risk trigger
- D. Risk event
Answer: C
NEW QUESTION 13
You are the project manager for your organization. You are preparing for the quantitative risk analysis. Mark, a project team member, wants to know why you need to do quantitative risk analysis when you just completed qualitative risk analysis. Which one of the following statements best defines what quantitative risk analysis is?
- A. Quantitative risk analysis is the planning and quantification of risk responses based on probability and impact of each risk event.
- B. Quantitative risk analysis is the process of prioritizing risks for further analysis or action by assessing and combining their probability of occurrence and impact.
- C. Quantitative risk analysis is the review of the risk events with the high probability and the highest impact on the project objectives.
- D. Quantitative risk analysis is the process of numerically analyzing the effect of identified risks on overall project objectives.
Answer: D
NEW QUESTION 14
Penetration testing (also called pen testing) is the practice of testing a computer system, network, or Web application to find vulnerabilities that an attacker could exploit. Which of the following areas can be exploited in a penetration test?
Each correct answer represents a complete solution. Choose all that apply.
- A. Social engineering
- B. File and directory permissions
- C. Buffer overflows
- D. Kernel flaws
- E. Race conditions
- F. Information system architectures
- G. Trojan horses
Answer: ABCDEG
NEW QUESTION 15
Which of the following is a subset discipline of Corporate Governance focused on information security systems and their performance and risk management?
- A. Lanham Act
- B. ISG
- C. Clinger-Cohen Act
- D. Computer Misuse Act
Answer: B
NEW QUESTION 16
Which of the following documents is described in the statement below?
"It is developed along with all processes of the risk management. It contains the results of the qualitative risk analysis, quantitative risk analysis, and risk response planning."
- A. Project charter
- B. Risk management plan
- C. Risk register
- D. Quality management plan
Answer: C
NEW QUESTION 17
Certification and Accreditation (C&A or CnA) is a process for implementing information security. It is a systematic procedure for evaluating, describing, testing, and authorizing systems prior to or after a system is in operation. Which of the following statements are true about Certification and Accreditation?
Each correct answer represents a complete solution. Choose two.
- A. Accreditation is the official management decision given by a senior agency official to authorize operation of an information system.
- B. Accreditation is a comprehensive assessment of the management, operational, and technical security controls in an information system.
- C. Certification is the official management decision given by a senior agency official to authorize operation of an information system.
- D. Certification is a comprehensive assessment of the management, operational, and technical security controls in an information system.
Answer: AD
NEW QUESTION 18
You are the project manager for the NHH project. You are working with your project team to examine the project from four different defined perspectives to increase the breadth of identified risks by including internally generated risks. What risk identification approach are you using in this example?
- A. SWOT analysis
- B. Root cause analysis
- C. Assumptions analysis
- D. Influence diagramming techniques
Answer: A
NEW QUESTION 19
Which of the following recovery plans includes a monitoring process and triggers for initiating planned actions?
- A. Business continuity plan
- B. Contingency plan
- C. Continuity of Operations Plan
- D. Disaster recovery plan
Answer: B
NEW QUESTION 20
......